How to: use persistent & ezProxy
ezXSS, a powerful security testing tool, now includes a new feature: persistent sessions. When enabled in a payload's settings, this feature keeps the Cross-Site Scripting (XSS) session alive in the user's browser, facilitating red-team man-in-the-middle attacks, even on sites behind a firewall or within an internal network.

Once this feature is enabled in the payload, all GET and POST requests made by the user are executed in the background using JavaScript. The tool displays the new pages and sends all data back to ezXSS. It is also possible to execute JavaScript live in the user's browser and view its console. This feature works out of the box and allows for an uninterrupted, persistent session.

The persistent mode code is still in beta and might break or fail to work on websites that use a lot of JavaScript.
ezProxy is another addition to the suite of ezXSS functionalities. When a session is online, you can open a reverse proxy through the user. This feature lets you use the user's browser, session and IP address to send requests to the infected domain.

Starting a reverse proxy with ezProxy.py opens a proxy; when you connect to it and send requests to the domain, all requests are made by the infected user, giving access to their session and even to applications behind a firewall.

You can host ezProxy on the same server that hosts the ezXSS installation or on your own computer, the latter especially when dealing with shared-hosting providers. Hosting it on the same server is recommended for SSL compatibility.
- Update the .env file: ezProxy settings can be found in the `.env` file. The host should be `0.0.0.0` to allow connections from anywhere. The web socket port and proxy port can also be changed if needed.
- SSL Requirement: ezProxy only works with SSL. Hence, the SSL certificate and key file paths should be added in `prCertFile` and `prKeyFile` respectively.
- Security Settings: For additional security, you can protect the proxy you connect to with a username and password. This is an optional step but recommended to prevent unauthorized access.
- Start ezProxy: Use the command `python3 ezProxy.py` to start ezProxy. You should see a response like:

      [#] Websockets running on ezxss.com:30055
      [#] Proxy running on ezxss.com:13000

- Session Configuration: On the session page of the user you want to proxy, insert the websockets domain and port (e.g., `ezxss.com:30055`). When you select `Pass origin requests through proxy`, requests made to the infected domain will also be proxied through the user. When it is not selected, these requests will be sent from your own IP. ezProxy will always start a proxy on a .ezxss domain.
- Proxy Setup: Click 'start' and ezXSS will show you the domains you can connect to with the proxy (depending on whether you selected the checkbox). It will look like:

      Proxy started on ezxss.com:30055 is accessible on http://34fZbLLLlhYZ5km1.ezxss and http://example.com

- Browser Setup: In your browser, use an extension like 'FoxyProxy' to connect to the proxy. Ensure you enable the proxy for the domain and port shown in your ezProxy output (the default port is 13000). The proxy can also be set up to apply only to certain domains, or only to .ezxss TLDs. This allows you to keep using the browser on other domains while the proxy is active (when the proxy is applied to all domains, domains outside the started sessions won't load).
- Accessing the Session: Now you can access the infected user's session by visiting the provided URLs. All requests made in your browser will be sent by the infected user in the background.
This powerful new persistent session feature and the ezProxy addition enhance the capabilities of ezXSS, making it an even more effective tool for security testing and red teaming exercises.